Many operating systems include advanced crash dumping mechanisms. When the crash dumping mechanism is enabled, the system is booted from the context of another kernel than the main operating kernel. This second kernel reserves a small amount of memory and its purpose is to capture crash data, such as a core dump image (e.g., core file) of the kernel when the system crashes. The ability to analyze the core file significantly helps to determine the exact cause of system failure.
Many current operating systems (OSes) implement a security labeling feature, such as Mandatory Access Control (MAC) labeling of SELinux™. However, when creating and saving the core file upon a system crash, a problem may arise with the security labeling of the core file. For example, when the core file is captured, a root file system might not be mounted for use by the second kernel and, as a result, the core file may be saved to a disk that is not the root disk. Accordingly, this results in the OS security labeling policy not being available at the time of saving the core file and not being able to apply the security label on core file at the time of system crash. This can potentially be a security issue as the core file will be unlabeled when system boots back in the main operating kernel.